Internet Elections

In response to the recent report by the Chief Electoral Officer regarding electronic voting, I sent the following brief email to Elections Canada:

Yes, lift the ban. It is silly and unenforceable.

DO NOT IMPLEMENT ELECTRONIC VOTING. It cannot be done anonymously and verifiably, two key requirements for democratic elections.

Do more advance polls if you like, have pollsters go to people's houses if you like, but do not get rid of the paper ballot. It is the irreplaceable cornerstone of democracy.

Impressively, today I received the following reply from Elections Canada, which is actually more than a mere form letter.

Dear Mr. Moore:

Thank you for your e-mail of August 18, 2011, regarding the Internet voting pilot project.

The Canadian electoral system is known as one of the most accessible in the world and, for most electors in Canada, the current methods for casting a ballot work well. However, increasing voting options could improve accessibility for electors who find it inconvenient, difficult or impossible to vote by conventional means. The goal of Internet voting would be to offer Canadians another convenient way to vote, not to replace existing voting methods.

Elections Canada has committed in its Strategic Plan 2008-2013 (available on the Elections Canada Web site at www.elections.ca) to improve the accessibility of the electoral process by testing innovative ways to vote.

In keeping with the commitment to improve accessibility, an Internet voting pilot project will be implemented during a federal electoral event called after March 2013. The objective of the pilot project is to develop the means to integrate Internet voting into the existing, paper-based process.

In your e-mail you expressed concern about the integrity of an Internet voting system. Maintaining the security of the electoral system and the trust of Canadians is of utmost importance. A new voting process must be safe, reliable, and maintain or enhance the integrity of the electoral process. Electronic and procedural safeguards will be put in place to preserve the integrity of the process. Further to these measures, privacy and secrecy will also be protected by legislation as is the case with the National Register of Electors where information can be used for electoral purposes only.

We understand Internet voting requires careful planning and design to ensure the system is secure, reliable and accurate. Elections Canada’s technological environment meets its current needs, but to meet the objectives set out in its Strategic Plan 2008-2013, a new environment will be developed to allow for a more accessible and secure system.

To date, the Internet voting pilot project is in a research phase, studying matters such as security, secrecy and auditing. Elections Canada is also undertaking further research to explore technical, sociological and legal issues surrounding Internet voting.

As part of our preparations to date, Elections Canada commissioned research to assess Internet voting in Canadian municipalities and European jurisdictions. A study entitled “Internet Voting – What Can Canada Learn?” examined the use of Internet voting and helped refine our research plans and better understand Internet voting issues. In addition, a workshop held at Carleton University in Ottawa on January 26, 2010, brought together technical experts, electoral practitioners and prominent scholars in the field of Internet voting. This study is available on the Elections Canada Web site. Other jurisdictions interested in Internet voting may have published similar studies on their Web sites.

Any recommendation to proceed with the Internet voting pilot project will be contingent on the conclusions of a security risk analysis, which will identify the precautions that must be taken to ensure that this voting method would be reliable and secure, and must be approved by the House of Commons and Senate committees.

In the context of the pilot project, Internet voting will be tested on a select group of electors in a controlled environment and an evaluation of the pilot project will be conducted following its implementation. Depending on the results, further opportunities will be considered.

Thank you for your interest in the federal electoral process. For more information, visit Elections Canada’s Web site at www.elections.ca, or call 1‑866-222-2565 toll-free in Canada and the United States, Monday to Friday, 8:30 a.m. to 16:30 (Eastern Time).

Regards,

Enquiries Agent

Special Voting Rules Service Centre

Elections Canada

I am glad they appear to be taking this seriously; however, I am concerned that they have not yet been able to conclude that it is impossible to have an Internet voting system which is both secure/verifiable AND anonymous. These are two qualities which are mutually exclusive on the Internet. In order for one to fully exist, the other has to give up some of its vital attributes. (A little like having third-party copyright locks on your hardware and still expecting it to be secure.) There is no system yet devised which can replace the paper ballot. The comparison their email makes between the security of the votes and the National Register of Electors is totally inappropriate, as in the latter case you are only tracking who can vote. In the former, you are tracking the actual vote as well as who made it. There is no department, no matter how far removed from government it may be, which can be trusted with this information and preserve the integrity of the process.

My last criticism of their reply has to do with the footer in the email, which reads as follows:

This e-mail message as well as any attachments are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient(s), you should not use, store, copy or distribute this e-mail. Please notify the sender immediately if you have received this e-mail in error and delete this e-mail as well as all attachments, and destroy all copies. Any dissemination, copying or use of this e-mail is strictly prohibited.

Interestingly, if what I had received from them was a phone call instead of an email, I would have been perfectly within my rights to record the conversation; however, as an email, Elections Canada believes they can restrict my dissemination of the information they are sharing with me.

I am grateful for the information they share, and welcome their response. I will follow up the references they provided as well, but I am insulted that they feel it is appropriate to restrict my further dissemination of this public information. At the very least they should have multiple email templates and only use the ones claiming confidentiality where the content is in fact confidential.

Yet another example of copyright laws being used to (perhaps inadvertently in this case) stifle public discourse. Shameful.


Footer

Interesting that it doesn't actually mention copyright at all in that footer. You could certainly argue that an email is copyrighted whereas a phone call isn't (because it isn't "fixed"). "dissemination, copying" could certainly be restricted by copyright, but "use" ? I can't think of any law that allows you to prohibit "use" of an email.... I wonder if the intent is that those last two sentences be more tightly coupled - as in "don't do anything with this email if it wasn't to you" (that would fit with, but also duplicate, the 2nd sentence), but even there, it begs the question - "prohibited on what grounds ?"

Perhaps within their context, they trust themselves to deal wit

... To deal with the mutual exclusion.

For example if they were to make a database that said I voted Mauve and you voted grey, and someone else voted yellow, BUT they were only going to release the totals, and destroy the database after the election.

You would have to increase the level of trust you place in them, compared to the paper ballot. You will never see the paper ballots for an election, and you have to trust that the published counts are correct.

The level of sophistication required is much more than our pals at Diebold managed to achieve of course, but Elections Canada is very multi-partisan.

It might be somewhat like the census, where you can get the totals, rounded off, but not access anyone's answers.

voting systems that rely on trust are inherently faulty

Indeed Charles, the level of trust you place in them would have to be greater, and that is precisely the problem. The system has to be designed such that a minimal amount of trust in ANYONE is necessary. The more trust that is required the more the system will be susceptible to tampering.

With the paper ballot system there is a minimal amount of trust required. My vote goes on a piece of paper and the scrutineers for the various candidates have the ability at the end of the day to examine both the ballots and the elector list, but there is no information which links the two directly. This gives us both anonymity for the individual vote, and accountability in terms of who the voters are.

I can be sure that my ballot went in the box, and the scrutineers can be sure that I am an eligible voter and only eligible voters had the privilege of having ballots. The only way to ensure both these things in a digital world is to also have data which links the two. This is because digital ballots do not physically exist and can therefore more easily be counterfeited. But as soon as you link them you have lost anonymity.

I love technology. I create more of it every day, and while I do believe there is a place for electronic voting, (I've even created machines for this purpose in the past) I strongly believe that general elections are not one of them.

Like the census debacle, allowing Internet voting will reduce the quality of the product. Unlike the census debacle, the product is the core of our democratic system of government. Do we really want to lower the quality of that?

anonymous e-voting

I'm not convinced that anonymous e-voting is necessarily impossible. It seems to me that one can replicate the essential features of the paper system. Essentially, the paper system boils down to a two-stage authentication, where the stages can't be correlated. In stage one, identity is verified against the voter list, and a token (ballot) is handed out. The token is itself verifiable, but there is no stored association between the token and the voter.

Exactly the same two-stage process could be implemented by generating a pool of GUIDs and randomly assigning them to the voting transaction, without recording who received which one. I haven't thought it through, but it seems like it ought to be possible to use a one-way hash to make it possible to verify that one's vote has been accurately recorded without compromising its anonymity.

Of course this is not to say that such a system could not be gamed. But I think it would replicate the features of the paper system.
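The two-stage scheme sketched in the comment above, written out as an added example (it is not the commenter's code and not anything Elections Canada built). The voter names and choices are constructed, and the SHA-256 "receipt" is one concrete rendering of the one-way hash check the comment suggests; the point the example makes is that the only thing keeping the stages uncorrelated is that the registrar code never writes the pairing down.

```python
import hashlib
import secrets
from collections import Counter

class Registrar:
    """Stage one: identity is checked against the voter list and a token handed
    out. It records WHO was checked off and WHICH tokens are out, never the pairing."""
    def __init__(self, voter_list):
        self.eligible = set(voter_list)
        self.checked_off = set()
        # Pre-generated pool: one unguessable 128-bit token per eligible voter.
        self.pool = [secrets.token_hex(16) for _ in voter_list]
        self.issued = set()

    def issue_token(self, voter_id):
        if voter_id not in self.eligible or voter_id in self.checked_off:
            raise PermissionError("not on the list or already voted")
        self.checked_off.add(voter_id)
        token = self.pool.pop(secrets.randbelow(len(self.pool)))  # random pick
        self.issued.add(token)
        return token

def receipt(token, choice):
    """One-way receipt: checkable by whoever holds the token, opaque otherwise.
    Opacity relies on the token's entropy; a guessable token would let anyone
    try each candidate name against a published receipt."""
    return hashlib.sha256(f"{token}:{choice}".encode()).hexdigest()

class BallotBox:
    """Stage two: accepts a genuine, unused token plus a choice and stores only
    (token, choice), so no voter identity is ever stored next to a vote."""
    def __init__(self, registrar):
        self.registrar = registrar
        self.records = {}   # token -> choice

    def cast(self, token, choice):
        if token not in self.registrar.issued or token in self.records:
            raise ValueError("token not issued or already used")
        self.records[token] = choice
        return receipt(token, choice)

    def tally(self):
        return dict(Counter(self.records.values()))

    def published_receipts(self):
        return {receipt(t, c) for t, c in self.records.items()}

    def voter_can_verify(self, token, choice):
        return receipt(token, choice) in self.published_receipts()

def run_election():
    reg = Registrar(["alice", "bob", "carol"])   # constructed voter list
    box = BallotBox(reg)
    t_alice = reg.issue_token("alice")
    r_alice = box.cast(t_alice, "mauve")
    box.cast(reg.issue_token("bob"), "grey")
    box.cast(reg.issue_token("carol"), "mauve")
    return reg, box, t_alice, r_alice
```

What the example cannot show is the property the rest of this thread argues about: whether the code that was audited is the code that actually ran, since nothing in the stored state would reveal a registrar that quietly kept a voter-to-token log.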

Not impossible to do right, but improbable.

I agree that a process that involves a voter verifiable electronic ballot can be designed, implemented, and possibly even used by technical people.

What I don't believe is that our government, which has demonstrated a willingness to dive forward with policy without the slightest understanding of the policy, will use a proper electronic ballot.

There is a common misconception that voting is like banking -- that the security threat is from a third party pretending to be me in an interaction with the bank. This is a very simple security model where it is all about two parties communicating where they trust each other, and the attacker is a third party.

With voting you still have the threat of third party attackers, but you also must *NEVER* trust either the system collecting the votes or the voter. The security model has no relation at all to banking, and any system designed with the misconception that it relates to banking will lead to electoral corruption.

In the case of banking the communication is with the bank, and the bank is inherently trustworthy. In the case of voting the communication is with a government agency, and that agency (or the private sector designers of the technology, if they outsource) should be treated as the greatest threat and least trustworthy.

I'm sorry, but if the government can't understand the simple things we are saying in the context of anti-circumvention legislation (2 locks, and what in the real world each lock can do), how can they possibly understand the more complex systems required for voting?

And don't get me started on how these two things interact: how a non-owner locked device is by definition not trustworthy to use to vote with given the effective owner (holder of keys) is the actual voter.

Identify the requirements

In that case, it seems to me all the more necessary to focus on identifying the true requirements and convincing the appropriate people (inside and outside government) of what they are. If one simply says "it can't be done", when in fact it can, one loses credibility.

This is a critical problem if the people who are going to make the decisions don't understand the problems involved. They will go ahead anyway, and they will not take advice from people who they may view as simply being opposed to any scheme at all.

The problem is not that it can't be done. The problem is not even that it necessarily shouldn't be done. The problem is that the wrong requirements (cost, convenience, etc., rather than integrity and verifiability) are driving the decisions. In such a circumstance, attempts to simply prevent anything from happening strike me as dangerously counterproductive. They will fail and they will undermine any opportunity to improve the outcome.

Yes, but...

The problem is that not doing it at all is far superior to not doing it 100% correct. Any deviation from the stated requirements (anonymous, verifiable, trust no party in the transaction) will corrupt the electoral and thus the democratic process.

What is required is to ensure that the requirements are well known such that other people who have never thought about these things before can come to the same conclusion on their own.

imperfect systems

Well here is where I disagree. All systems are imperfect, including the one we have now. The current system is potentially vulnerable to various kinds of fraud and also deters or prevents some eligible voters from participating. So 100% correctness is not a reasonable standard to demand. What is reasonable is that the new system not be obviously worse than the old one. If, by insisting on the unreasonable, we fail to ensure that a workable but flawed system is selected in preference to an unworkable system, we have done nobody any service.

Stand corrected, but....

And here is the but...

Being involved in technology law debates has exposed me to just how little the general public (and our various decision makers) understand technology. For far too many it really is a magic box, and that puts *FAR* too much unaccountable and non-transparent power in the hands of the "magicians".

For me, the least trustworthy party in the usage of an electronically assisted voting system is the provider of the technology. Unfortunately, for most people, this is the party they are least aware of and thus the party they are least able to protect against.

Those who concern themselves about the legitimacy of elections at all may be worried about voters pretending to be someone they aren't (or buying votes, or voting twice, whatever), and the political parties or government representatives corrupting the electoral process (although far too many westerners invalidly believe that is a problem "over there"). While I worry about these things as well, I am comforted by the fact there is sufficient understanding of the corruptibility of the system by these entities. I am not comfortable at all that we as a society have matured our understanding of the impact of technology in society to yet adequately protect against corruption introduced by the providers of the technology.

Russell, in the case of

Russell, in the case of electronic voting, there are three parties, none of which can be trusted: the voter, the agency, and the software.

I do not see any way you can have a system in which all three of these parties can adequately be monitored to ensure there is no cheating AND not be able to link individual votes to individual voters. In some way we end up having to trust at least one of these parties more than we currently do with a paper ballot system. That, by definition, makes electronic voting worse than paper ballots.

"The token is itself

"The token is itself verifiable, but there is no stored association between the token and the voter."

And this is the part that you are taking on faith, requiring you to put greater trust in the system than a paper ballot system requires.

Trust but verify

No, I don't agree. It is exactly the same trust, because it is exactly the same issue: whether the system is implemented as specified. In the case of the paper ballot, we watch them cross our names off the list and hand us a ballot, but we can't really be certain the ballot hasn't been marked in some way. It would require some level of active deceit, but if we presume someone is trying to game the system, that's a given.

I'm also not taking it on faith, I'm specifying a requirement. But one would need to be able to assess compliance, of course. So the source code of the electronic system would have to be available for auditing. But if that is the case, we have the same scenario: an observable system that appears not to be creating any linkage between the two verifiable tokens. The fact that the software system may be harder to observe is relevant to the overall assessment, but both rely on some level of independent oversight for control. The average voter will not perform that check him or herself in either case.